Rick McElroy, Security Strategist, Carbon Black

Rick McElroy, security strategist for Carbon Black, has more than 15 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. He has held security positions with the U.S. Department of Defense, and in several industries including retail, insurance, entertainment, cloud computing, and higher education.

McElroy’s experience ranges from performing penetration testing to building and leading security programs. He is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC). As a United States Marine, McElroy’s work included physical security and counterterrorism services.

A fierce advocate for privacy and security who believes education and innovation are the keys to improving the security landscape, McElroy is program chair for the Securing Our eCity Foundation’s annual CyberFest, a San Diego event dedicated to educating public and private sector security and IT professionals and business executives on the realities of security.

Carbon Black is the leader in next-generation endpoint security. IDC, in its latest specialized threat analysis and protection (STAP) report, named Carbon Black the leader in the endpoint security segment with 37% market share. By the end of 2015 the company expects to achieve 70 percent growth, 7 million+ software licenses sold, almost 2,000 customers worldwide, partnerships with 60+ leading managed security service providers and incident response companies, and integrations with 30+ leading security technology providers. For more information, visit https://www.carbonblack.com/.

In my previous blog, I discussed my intent to highlight the 10 most important questions CEOs should be asking their teams, through a series of blog posts.

As the first blog in this series, let’s start with the first question CEOs should ask: “How can the structure of the team in charge help us to better manage risk?”

By answering this, you will gain insight into the overall structure and maturity of risk management in your organization. Here are some guiding questions to help you kickstart the process of achieving a well-defined risk management strategy:

Who is actually responsible for managing and accepting risk in the organization?

Do you have someone responsible for risk management? Is there someone responsible for information security? Is someone responsible for compliance (if applicable)?
Is this function decentralized or centralized? How many staff members are dedicated to managing risk?

Your team should be able to describe how the overall program is managed and organized.

Bonus points for organizations that have these answers ready for external auditors or customers who may ask. Risk response must be timely and immediate; it should not require a long data-gathering exercise.

What is our risk tolerance?

CEOs and boards should drive the acceptable level of risk tolerance for an organization.

“Risk tolerance is defined as the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame. An organization’s risk tolerance level is the amount of corporate data and systems that can be risked to an acceptable level. Having a defined risk tolerance level means the security program knows the degree that management requires the organization to be protected against the threats they face.”

Giving tolerance guidance to your team will ensure they align to your Commander’s intent – the purpose and conditions that describe your idea of a successful outcome of a mission – and allow them to manage risk at appropriate levels.

When is risk being considered?

Is it baked into the upstream decision-making process or is it considered throughout the life cycle of the business?

Your team should help you understand where risk decisions are being made and if the gates are commensurate with the risk. This will also speak to the maturity of your risk management program.

Where is the current list of risks?

Risks come in all shapes and forms. Some risks are really business opportunities waiting to be taken advantage of. Organizations that manage risk well will not only do a better job of protecting themselves from cyber threats but will also gain a long-term competitive advantage. Risk is not always inherently a bad thing.

For most organizations, risks will fall into the following categories:

Compliance/Regulatory Risks

Security Risks

Financial Risks

Privacy Risks

Industry and Competitive Risks

Management Risks

Knowing where to get appropriate information in a timely fashion is crucial to making accurate risk-based decisions. For example, mature organizations have moved the necessary sources to online dashboards so that downstream risk data is updated in real time.

How are risks being managed and communicated? What’s the cadence of meetings?

This final question will allow you, as the CEO, to understand whether your organization embraces open and transparent risk discussions, and to identify unknown risks that are not being detected, communicated or managed appropriately. It will also ensure that risk discussions are part of the ongoing business process and not held only when a risk surfaces.